[DC LoCo] Inquiry regarding PGP and how to install it, I tried, did not work

Barry Warsaw barry at canonical.com
Thu Nov 4 15:19:56 GMT 2010


On Nov 04, 2010, at 10:55 AM, jerry w wrote:

>Creating a PGP key doesn't seem to be that difficult, but keysigning to get
>recognized by others then setting up Enigma or something on emails.  But I'm
>not PGP certified, as mentioned above.  Keysignings generally have specific
>instructions given with them...

Creating the key pairs is easy with GnuPG:

% gpg --gen-key

then follow the prompts.  The defaults should generally be sufficient, though
I tend to use 4096 bit keys for signing these days.

There are lots of references on the net about keysigning parties.  If you
install the `signing-party` package, you get some helpful tools.  I like
`caff` to do the actual job of signing the keys though it takes a little bit
of perl-fu to configure the first time.

Conferences and other get-togethers are good places for the physical
validation of keys, and I have seen a wide range of paranoia by their
participants.  Generally, key signing parties involve the exchange of gpg
fingerprints printed out on little slips of paper, a passing 'round of
official government identification, and much joking about ages and goofy
pictures (i.e. the fun part of keysigning parties :).  Once you're safely back
home, you can use `caff` to sign all the keys you've collected.  This emails
the key holder, and then you're done.

You should definitely make sure your new keys are uploaded to the keyservers
before the party, and you should print out those little slips of paper.  (My
Canonical business cards have my fingerprints on them, if I'd only remember to
bring them. ;).  The trickiest part is of course setting up your mail reader
to handle signing and encrypting/decrypting.  I use Claws and it basically
Just Works.  I've heard it's not too difficult with Thunderbird or Evolution,
and a royal PITA with gmail.  Sigh.

Just be advised that some folks are really paranoid about establishing their
web of trust, and others not so much.  I've had Super Important Big Wigs
basically ignore my government issue ID on the premise that if I'm not who I
say I am, I must be a really really good actor :).  Other people stare at me
disapprovingly because my beard is a little longer now IRL than on my passport
or driver's license.  YMMV.

Yes, this stuff should be way easier, and you should just get it by default
out of the box, but it's not too hard to set up and I do think it's generally
a good idea to establish a set of well-signed keys.  I sign all my open source
email (easy to detect forgeries), sign all my software tarballs (including as
Python Release Manager), and do occasionally encrypt some of my email
traffic.  I also sign all my Bazaar commits, and if you pursue things like
becoming a Debian Developer, you'll have to be integrated into the DD web of
trust.

Cheers,
-Barry
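The slip-of-paper check described above, as an added example that is not part of Barry's mail: compare the fingerprint you read off someone's slip against what GnuPG reports for the key you fetched afterwards. The `gpg --with-colons --fingerprint` output below is a constructed sample with a made-up fingerprint, embedded so the script runs without a keyring.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint KEYID` output.
# The primary key's "fpr:" record comes first; a subkey's follows its "sub:".
SAMPLE_COLONS='pub:u:4096:1:0123456789ABCDEF:1288880000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1288880000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:u:4096:1:FEDCBA9876543210:1288880000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Normalise a fingerprint as a human typed or printed it:
# drop whitespace (slips use groups of four), upper-case the hex.
fpr_canon() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Primary-key fingerprint from --with-colons output: field 10 of the
# first "fpr:" record (later fpr records belong to subkeys).
fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Print a fingerprint the way it goes on a slip: ten groups of four.
slip_format() {
    fpr_canon "$1" | sed 's/..../& /g; s/ $//'
}

# Compare slip against fetched key.  Only a full 40-hex-digit match
# counts: an 8- or 16-digit key ID is not a fingerprint and is rejected.
fpr_check() {
    slip=$(fpr_canon "$1")
    fetched=$(fpr_canon "$2")
    [ "${#slip}" -eq 40 ] || return 1
    [ "$slip" = "$fetched" ]
}
```

Run `fpr_check "<fingerprint from the slip>" "$(gpg --with-colons --fingerprint KEYID | awk -F: '$1=="fpr"{print $10; exit}')"` against a real keyring; a zero exit status means the slip and the fetched key agree.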